Defining the SAM Pro’s Role in Data Privacy
As software and IT asset managers gather increasing amounts of data about employee use of company systems, concerns arise over employee privacy. How can the need to monitor access to software and systems be balanced with local legislation designed to protect employees' privacy rights in the workplace?
This is the concern attendees at the 2014 SAM Summit London will discuss in a keynote session with European privacy and digital analytics specialist Aurélie Pols, co-founder and chief visionary officer at Mind Your Privacy.
"As more employers let workers bring their own devices to the office or access company data in the cloud from home, software asset managers are faced with a new task," says Pols. "They have to ensure that the measurements and controls put in place to secure data and license compliance are not violating employee privacy."
An employee's right to privacy is defined in local law, posing a challenge for companies that operate throughout Europe. Spain has one of the strictest data protection laws in Europe, notes Pols, who is based in Madrid. "When it comes to fines issued by data protection authorities in Europe, Spain accounts for 80 percent of them," she says. This has turned Spain into a country where corporate lawyers and IT managers make sure they have the right processes in place to avoid the legal risks surrounding improper data collection and use.
The Spanish model has become the ideal to apply to client environments throughout Europe, notes Pols. "We try to find the best and most homogeneous set of data governance practices that will work worldwide to ensure minimal risk—and maximum compliance."
Best practices of data use
The first data governance challenge for software and IT asset management professionals is to define what kind of data they are collecting from their workforce and how it will be used.
"Of course the software asset manager wants to track employee usage to ensure that data is not leaked or improperly accessed, but a subset of this activity is that suddenly you have data about what employees are doing," notes Pols. "This can run afoul of privacy laws unless there's close collaboration with the HR department."
Companies are now faced with the question: Do we want to use this data on employee activity, and if so, for what purpose? Do we want to use it within certain teams to assess whether certain employees are productive? Do we want to use this to assure that they are using the right processes?
"Before you measure, you need to know what and why you’re measuring," says Pols. "Although the software asset manager isn’t going to be looking at this employee data, they do need to ensure that any data collected is done in accordance with local laws."
Storm on the Horizon: Data Governance & Security vs. Employee Privacy
1. Data Governance and Security
vs. Employee Privacy
Storm on the Horizon
October 21 2014
SAM Summit London
Aurélie Pols
@aureliepols
2. Aurélie Pols
Chief Visionary Officer
& co-founder
Mind Your Privacy
@aureliepols
Presented by: Aurélie Pols
@AureliePols
• Grew up in the Netherlands, Dutch passport
• French mother tongue
• Most of my friends are bilingual at least
• Have Polish & Russian origins
• Co-founded 1st start-up in Belgium in 2003
• Sold it to Digitas LBi (Publicis) UK in 2008
• Moved to Spain in 2009
• Created 2 other start-ups in Spain in 2012
Mind Your Group, Putting Your Data to Work
Mind Your Privacy, Data Science Protected
Yes, a “law firm”, but we prefer to say: a bunch of Data Scientists working with a bunch of Lawyers
3. SUN on Privacy: Get over It!
“You have zero privacy anyway, get over it”, Scott McNealy, CEO of Sun Microsystems, January 1999
At eMetrics in Boston in 2006, this turned into “Privacy is Dead Aurélie, get over it!”
4. EU fines?
Spain: responsible for 80% of data protection fines in the EU
Source: http://i0.kym-cdn.com/photos/images/newsfeed/000/242/381/63a.jpg
Source: http://www.mindyourprivacy.com/download/privacy-infographic.pdf
5. Data: 3 types vs. Privacy
1. Customer data
Visitor, prospect, citizen, voter, …
2. Competitive data
Market share, IP, …
3. Employee data
Source: http://ochuko.files.wordpress.com/2010/04/sides-of-a-coin.jpg
6. [Diagram: from (mere) server access control for a software licence manager (cost in $ / € / £, licence compliance) to corporate-use-only / COPE / BYOD (multi) device control with user profiling, and on to the cloud (SaaS); options A, B and C]
7. Summary
• How to reconcile Privacy viewpoints on a global level (US, EU, APEC)
• Key legal concepts to collaborate with Legal Counsel
• The current challenge for SAM & employee data
• 7 rules to collect employees’ data without invading their privacy
• Q&A
8. US, EU, APEC
RECONCILING GLOBAL PRIVACY VIEWPOINTS
9. National Security vs. Privacy
Data Retention vs. Data Protection
Source: http://i.telegraph.co.uk/multimedia/archive/01598/bull-fighting_1598386i.jpg
E.g. DRIP (UK, passed), SOPA (US: Stop Online Piracy Act, similar to French HADOPI) & PIPA (US: Protect IP Act)
11. Regulatory Law
“Every country is a little different. You run into different regulatory regimes and you need to make sure you have the right tools so that people can implement the right policies they are required to by law… They aren’t that different”
Source: Bloomberg Singapore Sessions, April 23rd 2014
http://www.bloomberg.com/video/big-data-big-results-singapore-sessions-4-23-kHN5zrGbR_Wq6hbmV9~aXQ.html
12. A Global Perspective
US & UK: Common Law; Class actions; Privacy; Business focused; Patchwork of sector-based legislations: HIPAA, COPPA, VPPA, …; PII: varies per state
EU: Continental Law; Fines (by DPAs: Data Protection Agencies); Personal Data Protection (PDP); Citizen focused: data belongs to the visitor/prospect/consumer/citizen; Over-arching EU Directives & Regulations; Risk levels: low, medium, high, extremely high
APEC: Continental law influenced
13. If you collect PII… then
(Same US & UK / EU / APEC comparison table as slide 12.)
14. PII vs. Risk levels
[Diagram: risk level by data type, starting from PII: low; medium (profiling); high (sensitive); extremely high (profiling of sensitive data), each tier calling for corresponding information security measures]
15. Where to start?
Compliance? Privacy? Security?
Moving targets
16. The “Magnum” Plan
• Document your data set-up
• Set up a compliance check-list:
  – Applicable legislations for your sector
  – Territorial scope
• Evaluate your risk
• Follow up with information security measures (data protection)
• Risk Management: adopt global & sustainable Privacy best practices
17. Or in a nutshell: steps 1-2-3
1. Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data.
   Competences: Legal/Compliance (matrix)
2. What are the risks? Fines, class actions, customer complaints, security breaches.
   Competences: Risk management
3. What is the trade-off? Compliance vs. data, business needs and technology.
   Competences: Business, understanding risks vs. rewards, for data and technology
19. What an employer should tell an employee – UK legislation
An employee has the right to be told:
• What records are being kept and how they’re used
• The confidentiality of the records
• How these records can help with their training and development at work
If an employee asks to find out what data is kept on them, the employer will have 40 days to provide a copy of the information.
An employer shouldn’t keep data any longer than is necessary and they must follow the rules on data protection.
Source: https://www.gov.uk/personal-data-my-employer-can-keep-about-me
20. Privacy cheat sheet
LEGAL CONCEPTS TO EFFICIENTLY COLLABORATE WITH LEGAL COUNSEL
21. Data lifecycles
Analytics => Follow the Money
Privacy => Follow the Data
Legal: Procedures/Processes, Compliance & Risks Assessments
22. Fair Information Privacy Practices (FIPPs)
Source: https://security.berkeley.edu/sites/default/files/uploads/FIPPSimage.jpg
23. FIPPs: Fair Information Practice Principles
These principles are not laws; they form the backbone of privacy law and provide guidance in the collection, use and protection of personal information.
Transparency ensures no secret data collection; provides information about the collection of personal data to allow users to make an informed choice
Choice gives individuals a choice as to how their information will be used
Information review & correction allows individuals the right to review and correct personal information
Information protection requires organizations to protect the quality and integrity of personal information
Accountability holds organizations accountable for complying with FIPPs
24. Purpose, Consent & Data Uses
[Diagram. From: purpose, consent and FIPPs applied to data for an approved use. To: a new business opportunity reached by data analysis or merging, with purpose, consent and FIPPs left behind]
Big Data is Killing the Privacy Framework
25. [Diagram of a privacy programme: enterprise goal and user goals feed privacy policy requirements; these are implemented through privacy mechanisms, procedures & processes and privacy awareness training, with quality assurance providing feedback]
26. Privacy by Design (PbD)
7 Fundamental Principles
Ann Cavoukian – Information & Privacy Commissioner Ontario, Canada
1. Proactive not Reactive; Preventive not Remedial: PbD anticipates and prevents Privacy-invasive events before they happen
2. Privacy as the Default Setting: PbD seeks to deliver the maximum degree of Privacy by ensuring that personal data are automatically protected in any given IT system or business practice
3. Privacy embedded into Design: It is not bolted on as an add-on, after the fact. It’s an essential component of the core functionality being delivered
4. Full-functionality – Positive Sum not Zero Sum: no trade-offs, no false dichotomies
5. End to End Security – Full Lifetime Protection: cradle to grave lifecycle management of information, end-to-end
6. Visibility and Transparency – Keep it Open: operating according to the stated promises and objectives, subject to independent verification
7. Respect for User Privacy – Keep it User-Centric: strong Privacy defaults, appropriate notice, and empowering user-friendly options
28. The good old days
Uber simplified
[Diagram: (mere) server access control for a software licence manager: cost in $ / € / £, licence compliance]
29. [Same diagram as slide 6: from server access control to corporate-use-only / COPE / BYOD device control, user profiling and the cloud (SaaS); options A, B and C]
30. Corporate use only, COPE or BYOD?
Corporate Owned, Personally Enabled (COPE)
– IT defines supported devices
– (Remote) control over devices
• Wipe clean in case of theft
• Access management
The company chooses between A, B or C and follows up with controls and processes (here out of scope).
31. [Same diagram as slide 6: from server access control to corporate-use-only / COPE / BYOD device control, user profiling and the cloud (SaaS); options A, B and C]
32. Consequences for SAM
Changes to take into consideration:
1. Multi user device control
2. Create & manage user profiles
3. Increased use of SaaS & the cloud
Typical example for (digital) marketing:
Source: http://hbr.org/2014/07/the-rise-of-the-chief-marketing-technologist/ar/1
33. It’s about the data exhaust
Changes to take into consideration:
1. Multi user device control
2. Create & manage user profiles
3. Increased use of SaaS & the cloud
Creating a data exhaust your company will want to leverage
34. What does this mean?
Issues to be tackled:
1. Purpose definition
• Consent? Opt-in, opt-out
2. Data ownership
3. Local compliance
• For your company with respect to your employees
• For the SaaS/cloud provider used with respect to Privacy rights
4. Security
Accountability
35. [EU Cookie Directive: implicit consent]
Opt-in vs. Opt-out strategies & consequences on data collection
Source: http://chinwag.com/files/images/photos/ico-traffic-post-cookie-graph.gif
36. [Diagram: HQ with local subsidiaries 1 to 4, each with its own employee Terms & Conditions; applicable security measures??? Moving to the cloud/SaaS]
38. Purpose, Consent & Data Uses
[Diagram, repeated from slide 24. From: purpose, consent and FIPPs applied to data for an approved use. To: a new business opportunity reached by data analysis or merging]
39. Respect Employee Privacy
7 RULES TO COLLECT EMPLOYEES’ DATA WITHOUT INVADING THEIR PRIVACY
40. 1. Find a sponsor, often HR
2. Have a hypothesis
• Purpose
3. Default to anonymity and aggregation
4. If you can’t let employees be anonymous, let them choose how you use their data
• Consent: opt-out vs. opt-in
5. Screen for confidential information
6. Don’t dig for personal information
7. For additional protection, consider using a third party
Source: http://blogs.hbr.org/2014/09/collect-your-employees-data-without-invading-their-privacy/
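An added, runnable illustration of rules 3, 4 and 7 above together with the risk tiers from slide 14, written for this page; it is not code from the presentation or from Mind Your Privacy. It assumes a small constructed set of software-usage records, a minimum group size of two for aggregated cells, and keyed hashing (HMAC-SHA256) as the pseudonymisation method, with the key held by the sponsor rather than by the SAM team; none of these choices come from the slides.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of raw software-usage records, in the shape a SAM tool
# might collect them (hypothetical data, not from the presentation).
RAW_USAGE = [
    {"user": "alice@example.com", "dept": "finance", "app": "SpreadsheetPro", "minutes": 340},
    {"user": "bob@example.com",   "dept": "finance", "app": "SpreadsheetPro", "minutes": 0},
    {"user": "carol@example.com", "dept": "finance", "app": "CADStudio",      "minutes": 15},
    {"user": "dave@example.com",  "dept": "legal",   "app": "SpreadsheetPro", "minutes": 120},
    {"user": "erin@example.com",  "dept": "legal",   "app": "CADStudio",      "minutes": 0},
    {"user": "frank@example.com", "dept": "design",  "app": "CADStudio",      "minutes": 900},
]


def risk_level(profiling, sensitive):
    """Place a planned use of employee data on the four tiers of slide 14:
    low; medium (profiling); high (sensitive data);
    extremely high (profiling of sensitive data)."""
    if profiling and sensitive:
        return "extremely high"
    if sensitive:
        return "high"
    if profiling:
        return "medium"
    return "low"


def licence_usage_report(records, group_by=("app",), min_group=2):
    """Rule 3, 'default to aggregation': roll per-user records up into counts
    per group.  A cell with fewer than min_group distinct users is suppressed
    (reported as None), because a one-person cell reveals that person's usage
    even though no name appears in the report."""
    cells = defaultdict(lambda: {"users": set(), "active": 0, "minutes": 0})
    for r in records:
        key = tuple(r[f] for f in group_by)
        cell = cells[key]
        cell["users"].add(r["user"])
        if r["minutes"] > 0:
            cell["active"] += 1
        cell["minutes"] += r["minutes"]
    report = {}
    for key, cell in cells.items():
        if len(cell["users"]) < min_group:
            report[key] = None
        else:
            report[key] = {"users": len(cell["users"]),
                           "active": cell["active"],
                           "minutes": cell["minutes"]}
    return report


def pseudonym(user, key):
    """Keyed hash (HMAC-SHA256) of the identifier.  The key is held by the
    sponsor (HR, rule 1) or a third party (rule 7), not by the SAM team, so a
    pseudonym can be linked back to a named employee only with their help."""
    mac = hmac.new(key, user.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymised_records(records, key):
    """Per-user view for uses that cannot be aggregated (medium risk,
    'profiling').  Direct identifiers are replaced by pseudonyms; this is the
    data set for which rule 4 asks employees for an opt-in/opt-out choice."""
    return [{"subject": pseudonym(r["user"], key), "app": r["app"],
             "minutes": r["minutes"]} for r in records]


if __name__ == "__main__":
    print(licence_usage_report(RAW_USAGE))                   # company-wide, nothing suppressed
    print(licence_usage_report(RAW_USAGE, ("dept", "app")))  # single-user cells suppressed
    print(pseudonymised_records(RAW_USAGE, b"hr-held-key")[0])
```

Running it prints the company-wide report (no cell suppressed), the per-department report (every single-user cell suppressed) and one pseudonymised record. The trade-off of step 3 in slides 17 and 42 shows up directly: the finer the grouping the business asks for, the more cells have to be suppressed before the report stops being a profile of identifiable people; where per-person data is genuinely needed, the pseudonymised view is the one to bring to HR for the opt-in/opt-out decision.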
41. Legal base lines
Germany:
– Probably the strictest, start here if required
UK:
– Quick guide to the employment practices code, chapter 5
http://ico.org.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/quick_guide_to_the_employment_practices_code.pdf
US:
– Use California as a reference to start with:
http://oag.ca.gov/privacy/workplace-privacy
42. Reminder: steps 1-2-3
1. Which legislation(s) does your company need to respect? Region/country, sector, type/groups of data.
   Competences: Legal/Compliance (matrix)
2. What are the risks? Fines, class actions, customer complaints, security breaches.
   Competences: SAM + manager who wants to use the employee data exhaust?
3. What is the trade-off? Compliance vs. data, business needs and technology.
   Competences: HR, legal, manager, SAM?